I will use three virtual machines deployed on a single Hyper-V host: DC01, ATA-Center and ATA-Gateway.

ATA Requirements

ATA Center: we need two static IP addresses. One is used by the ATA Center service to communicate securely with the ATA Gateways, and the second is used by the ATA Console, which runs on Microsoft IIS.

ATA Gateway: we need two network adapters. One has an IP address and is used by the ATA Gateway to communicate with the ATA Center and with devices on the network; the second has no IP address and is used only to capture the port-mirrored network traffic of the domain controllers.

Network traffic to and from the domain controllers is one of the sources of information used by ATA. To get this traffic we must configure port mirroring, which copies the network traffic to and from the domain controller to the ATA Gateway. The domain controller is configured as the Source; this copies all of its network traffic on the virtual switch to the virtual machine (ATA-Gateway) that is configured as the Destination.

The ATA Gateway is configured as the Destination.
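As an added example that is not part of the original post, here is the same port-mirroring setup done on the Hyper-V host with PowerShell instead of the VM settings dialog, plus the guest-side step that leaves the capture adapter without an IP address. The virtual switch name LabSwitch and the guest adapter name 'Ethernet 2' are assumptions; the VM and adapter names follow the post.

```powershell
# Added example (not from the original post). Run on the Hyper-V host as an administrator.
# Assumptions: VMs named DC01 and ATA-Gateway, both attached to a virtual switch named 'LabSwitch'.
# Hyper-V port mirroring only works between adapters on the same virtual switch.
$Switch = 'LabSwitch'

# 1. Give the ATA Gateway a second adapter dedicated to capture. The adapter name 'Capture'
#    matches the name used later in the post when selecting the port-mirrored adapter.
Add-VMNetworkAdapter -VMName 'ATA-Gateway' -SwitchName $Switch -Name 'Capture'

# 2. Mirror the domain controller's traffic: the DC's (single) adapter is the Source and the
#    gateway's capture adapter is the Destination. Only the capture adapter is mirrored, so the
#    gateway's management adapter keeps working normally.
Set-VMNetworkAdapter -VMName 'DC01' -PortMirroring Source
Set-VMNetworkAdapter -VMName 'ATA-Gateway' -Name 'Capture' -PortMirroring Destination

# 3. Verify the mirroring roles before installing the gateway.
Get-VMNetworkAdapter -VMName 'DC01', 'ATA-Gateway' |
    Select-Object VMName, Name, SwitchName, PortMirroringMode

# --- Inside the ATA-Gateway guest (run separately, as a local administrator) ---
# The new adapter appears with a generic name such as 'Ethernet 2' (assumed); rename it and
# remove its IPv4/IPv6 bindings so it never gets an address and only feeds the capture.
# Rename-NetAdapter -Name 'Ethernet 2' -NewName 'Capture'
# Disable-NetAdapterBinding -Name 'Capture' -ComponentID 'ms_tcpip', 'ms_tcpip6'
```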

Finally, we need a read-only user in the domain. ATA requires a user account that has read access to the domain; ATA uses this account to query the domain for information about entities such as users and computers.

ATA Installation

Login to the ATA Center server as administrator and launch the Microsoft ATA Center Setup.exe file.

In large deployments you’ll want the database and the database journal folders on separate physical drives.

Select the IP address that the ATA Center service will be bound to, then select Create self-signed certificate. Self-signed certificates are for lab environments and testing only; in production deployments you should use certificates issued by your internal CA. Next, select the IP address that will be used by IIS for the ATA Console, select Create self-signed certificate again, and lastly click Install.

When the installation is done, click Launch to connect to the ATA console.

Now you can log in with the same username and password you used to install the ATA Center. The first time you log in you'll be prompted to enter the read-only username and password and the fully qualified domain name (FQDN) of the domain. Once you have entered them, click Save.

After saving the domain connectivity settings, you can download the ATA Gateway setup package and install the ATA Gateway.

Now, we are moving to the server where we will install the ATA Gateway.

In the ATA Gateway configuration section, review the default installation location and then select Create self-signed certificate.

Next, you'll need to enter the username and password of a user who can access the ATA Console: a member of the local Administrators group or of the Microsoft Advanced Threat Analytics Administrators group on the ATA Center server.

Click Install.

The installer now registers the ATA Gateway with the ATA Center, pulls down the initial configuration and installs the ATA Gateway service.

After the installation finishes, click Launch to connect to the ATA Console and continue configuring the ATA Gateway.

Log in to the ATA Console, select the three dots on the toolbar, and then click Configuration.

On the Gateways page you will see the ATA Gateway that was just installed, along with an alert that the ATA Gateway requires additional configuration.

This additional configuration is needed before the ATA Gateway starts collecting data. After the initial sync completes, click the gateway title and the settings section opens automatically.

You can add a description for the ATA Gateway, then enter the FQDN of the domain controller that will be monitored.

In this demo, the FQDN of my domain controller is DC01.VIRT.LAB. Choose which network adapter is configured as the port-mirrored adapter; in my case it's called Capture. Lastly, click Save.

At this point the ATA Gateway pulls down the updated configuration and starts capturing the port-mirrored domain controller traffic.

To verify that ATA is working, you can search for various objects from the domain controller: simply enter the first few letters and the search displays all entities that match. I will select the Super Virt user to see the profile ATA created for that user.

Congratulations

Simulate Attack

In this demo I will simulate a "Sensitive account credentials exposed" detection.

1. I will create a test user and add it to the "Domain Admins" group.
2. From a standalone server that has a TCP connection to my DC, I will run ldp.exe.
3. I will choose Connection –> Connect and type the DC's IP address.
4. I will choose Connection –> Bind and select the "Simple bind" option.
5. Lastly, I will provide the credentials of the test user in the format domain\username.

We will wait a few seconds… then log in to the ATA Center Console and check.
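As an added example that is not part of the original post, the domain controller itself can corroborate what ATA reports: with LDAP interface diagnostic logging raised to level 2, NTDS writes event 2889 to the Directory Service log for every simple bind over cleartext LDAP, naming the client address and the account used. The script below is meant to run on DC01; the event message layout it parses (a label line followed by a value line) is assumed from the standard 2889 text.

```powershell
# Added example (not from the original post). Run as an administrator on the domain controller.
$DiagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Level 2 for "16 LDAP Interface Events" makes NTDS log event 2889 in the Directory Service log
# for each simple bind over cleartext LDAP and each SASL bind that did not request signing.
Set-ItemProperty -Path $DiagKey -Name '16 LDAP Interface Events' -Value 2 -Type DWord

function Get-ValueAfterLabel {
    # Event 2889 text puts each value on the line after its label (assumed layout).
    param([string[]]$Lines, [string]$Label)
    for ($i = 0; $i -lt $Lines.Count - 1; $i++) {
        if ($Lines[$i].Trim() -like "$Label*") { return $Lines[$i + 1].Trim() }
    }
    return ''
}

# Summarise who has been sending cleartext simple binds to this DC in the last 24 hours.
$Since  = (Get-Date).AddHours(-24)
$Filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = $Since }

Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lines = $_.Message -split "`r?`n"
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Client   = Get-ValueAfterLabel $lines 'Client IP address'
            Identity = Get-ValueAfterLabel $lines 'Identity the client attempted'
            # Binding Type 0 is a simple bind (cleartext credentials); 1 is an unsigned SASL bind.
            Bind     = if ((Get-ValueAfterLabel $lines 'Binding Type') -eq '0') { 'Simple' } else { 'UnsignedSASL' }
        }
    } |
    Group-Object Client, Identity, Bind |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The ldp.exe simple bind from the steps above shows up here as a 'Simple' row with the standalone server's address and the test user's identity, matching the ATA alert.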

Like this:

Charbel Nemnom is a Microsoft Cloud Consultant and Technical Evangelist, a fan of the latest IT platform solutions, and an accomplished hands-on technical professional with over 15 years of broad IT infrastructure experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems. Excellent communicator adept at identifying business needs and bridging the gap between functional groups and technology to foster targeted and innovative IT project development. Well respected by peers for demonstrating passion for technology and performance improvement. Extensive practical knowledge of complex system builds, network design and virtualization.